Why should safety be documented?

- Safety has to be demonstrated and evidence supplied
- Safety must be auditable and traceable
- Safety needs verifiable information
- Regulators need to see safety is under control
- Regulator requires that safety documentation can be reproduced
- Evidence must be securely stored and backed up
- Safety documentation will be used throughout the plant lifetime
- FSM can now be approved / certified by third parties such as TUV Rheinland
IEC 61511 Safety life-cycle goals (Clause 6.2.3)

1. ensure that the SIS safety requirements are achieved for all relevant modes of the process; this includes both function and safety integrity requirements;
2. ensure proper installation and commissioning of the safety instrumented system;
3. ensure the safety integrity of the safety instrumented functions after installation;
4. maintain the safety integrity during operation (for example, proof testing, failure analysis);
5. manage the process hazards during maintenance activities on the safety instrumented system.
Purpose of Functional Safety Management Systems

- The purpose of the FSM system is to clearly describe the processes adopted by an organisation to assure the suitability and continuing functional integrity of safety instrumented systems essential to ensure the safety of hazardous processes
- The FSM approach based on the IEC 61511-1 lifecycle framework is considered to be one of the most effective means of recording how to generate, review, implement, verify and thereafter audit, revise and manage so as to achieve effective functional safety life-cycle operation of safety instrumented functions.
Functional Safety Engineering

- FSM procedures are required to increase the probability of avoiding systematic failures
  - Typically due to human error, so procedures are proven to work
- Guidance on the application of the techniques and measures to avoid systematic failures is given in:
  + IEC 61508-2 - Annex B Tables B1-B5
  + IEC 61508-3 - Annex B Tables A1-A10
- Guidance on assessing software systematic capability is given in:
  + IEC 61508-3 - Annex C
- Techniques and measures are given for each phase of the lifecycle
- Techniques and measures need to be appropriate to the target SIL
Table B.1 — Techniques and measures to avoid mistakes during specification of E/E/PES design requirements (see 7.2)

Columns: Technique/measure | See IEC 61508-7 | SIL1 | SIL2 | SIL3 | SIL4
Rows legible in the source scan (recommendation and effectiveness entries are not legible):
- Project management (B.1.1)
- Structured specification
- Separation of E/E/PE safety functions from non-safety functions
- Computer aided specification tools
- Inspection of the specification
- Semi-formal methods (B.2.3, see also Table B.7)
- Formal methods

All techniques marked "R" in the grey shaded group are replaceable by other techniques within that group, but at least one of these is required.

For the verification of this safety lifecycle phase, at least one of the techniques or measures shaded grey in this table or listed in Table B.5 shall be used.

NOTE 1 For the meaning of the entries under each safety integrity level, see the text preceding this table.

NOTE 2 The measures in this table can be used to varying effectiveness according to Table B.6, which gives examples for low and high effectiveness. The effort required for medium effectiveness lies somewhere between that specified for low and high effectiveness.

NOTE 3 The overview of techniques and measures associated with this table is in Annex B of IEC 61508-7. Relevant sub clauses are referenced in the second column.

Slide 2-6
Scope of Functional Safety Management Systems

- It is important not to confuse FSM with the Site Safety Management System (SMS), which details how the business manages safety and meets its regulatory and legislative responsibilities
- FSM supports the overall site safety performance and is an integral part of the site SMS
- FSM compliance should also be included in Key Performance Indicators, Process Safety Indicators, and Risk Analysis
- IEC 61511-1 life cycle framework: equipment, software and management systems that comply with IEC 61508 will also comply with IEC 61511, simplifying project procurement and planning for obsolescence for legacy systems.


ProSalus Functional Safety Engineering - SAFETY CONSULTANTS
IEC 61511 Lifecycle Concept

Based on IEC 61511-1 Figure 8 (figure rendered as text; the side bar running alongside all phases reads "Management of functional safety & functional safety assessment (10)")

Analysis phase:
  Hazard & risk assessment (1)
  Allocation of safety functions to protection layers (2)
  Safety requirements specification for the safety instrumented system (3)
  FSA stage 1

Realisation phase:
  Design & engineering of safety instrumented system (4) / Design & development of other means of risk reduction
  FSA stage 2
  Installation, commissioning & validation (5)
  FSA stage 3

Operation phase:
  Operation & maintenance (6)
  Modification (7)
  FSA stage 5
  Decommissioning (8)
IEC 61508 Lifecycle Concept

1. Concept
2. Overall scope definition
3. Hazard and risk analysis
4. Overall safety requirements
5. Safety requirements allocation
6. Overall operation and maintenance planning
7. Overall safety validation planning
8. Overall installation and commissioning planning
9. SRS E/E/PES realization
(boxes 10 and 11 are not legible in the source figure)
12. Overall installation and commissioning
13. Overall safety validation
14. Overall operation, maintenance, repair (back to appropriate overall safety lifecycle phase)
15. Overall modification & retrofit
16. Decommissioning or disposal
Typical contents for an IEC 61511 FSM System

1. Functional Safety Policy
2. Management Of Functional Safety
3. Functional Safety Life-Cycle
4. Verification
5. Process Hazard and Risk Assessment
6. Allocation Of Safety Functions
7. Safety Requirements Specification
8. Design and Development
9. Application Software
10. Factory Acceptance Testing
11. Installation and Commissioning
12. Validation
13. Operation and Maintenance
14. Modification
15. Decommissioning
16. Information and Documentation
17. Product Supply and Safety Manual
Management of Functional Safety

- Requirements:
  - General:
    - Defined policy and strategy for achieving safety
    - Defined functional safety indicators (PSM - HSG254)
    - Leading & lagging indicators
    - Safety Management System (HSG65)
  - Organisational competence:
    - Responsible persons, departments & organizations identified for each of the lifecycle phases
    - Competency assurance at each stage (HSE - CMS / IET Guidance)
      - Knowledge, training, experience and application
      - Knowledge of legal and safety regulations
      - Understanding of hazards and consequences
      - Understanding of novelty and complexity of technology
Functional Safety Policy

- Commitment to promote sound integrity management under the umbrella of IEC 61511
- Policy to design, build, install, commission and service the SIS in accordance with IEC 61511
- Strategy to communicate, promote and monitor a FS conscious attitude by the methodical implementation of formal FSM procedures.
- Commitment to carry out FS Audits and Competency Assessment.
- Success can be measured in terms of achieved system functional safety and achieving the SIL throughout the life of the SIS.
- FS system must be systematically audited and reviewed, and all personnel working on or responsible for safety related systems are required to adhere to the procedures
Functional Safety Engineering

Management of Functional Safety

- Requirements
  - Implementing and monitoring procedures
    - PHA Procedure
    - Safety Requirements Template / Checklist
    - Functional Safety Management Plan Template
    - Design Procedures
    - Hardware / Software Verification Procedure
    - Hardware / Software Validation Procedure
    - Functional Safety Assessment Procedure
    - Functional Safety Audit Procedure
    - Change Management, Software Modification & Impact Analysis
    - Software configuration management - IEC 61511
    - Planning and procedures for
      - Software Compliance - e.g. IEC 61131
      - Application Software Development
      - Software Integration - Module & Firmware
Functional Safety Engineering

Typical Safety Lifecycle Documentation

Phase | Information
All phases | Safety plan, plans for each phase of the lifecycle, IEC 61508 table of Techniques & Measures
Hazard and risk analysis & Allocation of Safety Functions | HAZOP, SIL Determination, LOPA, ETA, FTA, QRA, COMAH etc reports
Safety Requirements | Specification with all safety functions and their functional and integrity requirements, cause and effects
Design & Engineering | SIS design, FDS, SDS, SMDS, HFT, GA, Control and logic philosophy, SLD, circuit diagrams, manuals, reliability analysis etc
Installation and commissioning | Checklists, Integration, FAT, SAT specification and reports, Installation and commissioning plans and functional checklists
Safety validation | Functional safety Assessment, Verification and Validation report
Operation and maintenance | Functional Testing, Inspection and Maintenance Logs, FS audit reports
Modification and Decommissioning | Change management / modification request, impact analysis reports,
Functional Safety Verification & Validation, Assessments, Audits

- Verification - (IEC 61511 Clause 7)
  - Verification is carried out after each lifecycle phase
    + Check of values used in LOPA
    + Check of failure data used and calculations undertaken
    + Check of SFF and correct Hardware Fault Tolerance applied
- Validation - (IEC 61511 Clause 15)
  - Validation is a phase in the lifecycle
  - Validation is carried out at the end of the Project / Modification, before hazards are present in the process
  - Validation verifies that the SRS has been met
- Functional Safety Assessment (FSA) - (IEC 61511 Clause 5.2.6)
  - Assesses that the FS lifecycle plan has been correctly implemented
  - 5 assessment stages during the lifecycle - Stage 3 mandatory
  - Must be carried out with sufficient independence to meet the target SIL
Functional Safety Verification Report

- Scope & boundaries of verification
  - What is being verified - (e.g. checking PFD calculations)
- Information that verification is to be carried out against - (e.g. SIL target)
- Who is verifying - (person, competence & level of independence)
- Procedures, measures and techniques to be used for the verification activity - (e.g. FTA to check RBD)
- Tools and supporting analysis - (e.g. failure data, confidence levels)
Copyright: ProSalus Ltd 2011
Functional Safety Verification Report cont'd

- How will non-conformances be handled - (e.g. action log / priority)
- Declaration of pass/fail criteria - (e.g. tolerances)
- How failure / non-compliance will be managed
- Typical example:
  - Loop calculations
  - Correct software test methods for target SIL (61508 tables)
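As an added worked example (my own code, not from the ProSalus slides or from the text of any standard), this is the "loop calculations" verification check the report format above calls for: it declares pass/fail criteria up front, applies them to a constructed sensor / logic solver / final element loop and returns the non-conformances as prioritised action-log entries. The failure rates, the simplified 1oo1 expression PFDavg = lambda_DU * TI / 2 and the optional margin are assumptions, not values from the page.

```python
"""Loop-calculation verification check (added example, not from the slides).

Assumptions, stated here because the slides give none: a single-channel
(1oo1) low-demand loop of sensor, logic solver and final element; constant
failure rates; the simplified IEC 61508-6 Annex B expression
PFDavg = lambda_DU * TI / 2 with repair time neglected; PFD bands from
IEC 61508-1 Table 2. Every failure-rate figure below is a constructed sample.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0
# IEC 61508-1 Table 2, low-demand mode: SIL -> [lower, upper) PFDavg band.
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


@dataclass
class Element:
    name: str
    lambda_du: float   # dangerous undetected failures per hour
    lambda_dd: float   # dangerous detected failures per hour
    lambda_s: float    # safe failures per hour (detected + undetected)
    ti_years: float    # proof-test interval actually applied, in years

    def pfd_avg(self) -> float:
        """Simplified 1oo1 PFDavg = lambda_DU * TI / 2."""
        return self.lambda_du * self.ti_years * HOURS_PER_YEAR / 2.0

    def sff(self) -> float:
        """Safe failure fraction = (lambda_S + lambda_DD) / lambda_total."""
        total = self.lambda_s + self.lambda_dd + self.lambda_du
        return (self.lambda_s + self.lambda_dd) / total


def loop_pfd(elements):
    """Series loop: the element PFDs are added."""
    return sum(e.pfd_avg() for e in elements)


def achieved_sil(pfd):
    """Highest SIL whose band contains the PFD; 0 means below SIL 1."""
    for sil in (4, 3, 2, 1):
        lo, hi = SIL_BANDS[sil]
        if lo <= pfd < hi:
            return sil
    return 0


def verify_loop(elements, target_sil, srs_ti_years, margin=0.0):
    """Return a verification record with the pass/fail criteria declared.

    Criteria, fixed before the numbers are looked at:
      1. PFDavg inside the target SIL band, with an optional margin on the
         upper limit (margin=0.2 demands PFDavg < 0.8 * band limit);
      2. every element's proof-test interval equals the interval stated in
         the SRS (a mismatch is a typical 'values used' non-conformance);
      3. the dominant element is reported so the reviewer sees where the
         PFD budget is spent.
    Non-conformances come back as (priority, message) for the action log.
    """
    pfd = loop_pfd(elements)
    lo, hi = SIL_BANDS[target_sil]
    limit = hi * (1.0 - margin)
    actions = []
    if not (lo <= pfd < limit):
        actions.append(("high", f"PFDavg {pfd:.2e} outside SIL{target_sil} "
                                f"criterion [{lo:.1e}, {limit:.1e})"))
    for e in elements:
        if abs(e.ti_years - srs_ti_years) > 1e-9:
            actions.append(("medium", f"{e.name}: proof-test interval "
                                      f"{e.ti_years} y differs from SRS {srs_ti_years} y"))
    dominant = max(elements, key=lambda e: e.pfd_avg())
    return {
        "pfd_avg": pfd,
        "achieved_sil": achieved_sil(pfd),
        "target_sil": target_sil,
        "dominant_element": dominant.name,
        "sff": {e.name: round(e.sff(), 3) for e in elements},
        "pass": not actions,
        "actions": actions,
    }


# Constructed sample loop: SIL 2 target, annual proof test stated in the SRS,
# but the valve record shows a two-yearly test interval.
SAMPLE_LOOP = [
    Element("level transmitter", 3.0e-7, 5.0e-7, 1.2e-6, ti_years=1.0),
    Element("logic solver",      1.0e-8, 9.0e-7, 2.0e-6, ti_years=1.0),
    Element("shutdown valve",    8.0e-7, 2.0e-7, 1.0e-6, ti_years=2.0),
]

if __name__ == "__main__":
    record = verify_loop(SAMPLE_LOOP, target_sil=2, srs_ti_years=1.0)
    for key, value in record.items():
        print(f"{key}: {value}")
```

On the sample loop the PFDavg sits inside the SIL 2 band, but the record still fails because the valve's test interval does not match the SRS, which is the point of declaring the criteria before the arithmetic.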
Functional Safety Validation Report

- Scope & boundaries of validation
  - What is being validated - description of SIS & associated devices
  - IEC 61511 Clause 15 requirements addressed and included in SRS
- Information that validation is to be carried out against - SRS, Cause & Effects, function charts etc
- Who is validating - person, organisation, competence & level of independence
- Procedures, measures and techniques to be used for the validation activity - e.g. loop testing, calibration procedures, simulation of application software
- Tools and supporting analysis - e.g. test instruments calibrated to traceable standard
Functional Safety (SIL) Validation Report cont'd

- How will non-conformances be handled - e.g. action log / priority
- Tools & techniques appropriate for target SIL
  - IEC 61508-2 - Table B.5
  - IEC 61508-3 - Table A.7
- Declaration of pass/fail criteria - e.g. SRS not met, logic not as per Cause & Effect, timing requirements not met
- Typical example:
  - Completed loop test procedure
  - Correct software test methods for target SIL (61508 tables)
Table B.5 — Techniques and measures to avoid faults during E/E/PES system safety validation (see 7.7)

Technique/measure | See IEC 61508-7 | SIL1 | SIL2 | SIL3 | SIL4 | Effectiveness (SIL1, SIL2, SIL3, SIL4)
Functional testing | B.5.1 | HR | HR | HR | HR | high, high, high, high
Functional testing under environmental conditions | B.6.1 | HR | HR | HR | HR | high, high, high, high
Interference surge immunity testing | B.6.2 | HR | HR | HR | HR | high, high, high, high
Fault insertion testing (when required diagnostic coverage >= 90 %) | B.6.10 | HR | HR | HR | HR | high, high, high, high
Project management | B.1.1 | M | M | M | M | low, low, medium, high
Documentation | B.1.2 | M | M | M | M | low, low, medium, high
Static analysis, dynamic analysis and failure analysis | B.6.4, B.6.5, B.6.6 | - | R | R | [illegible] | low, low, medium, high
Simulation and failure analysis | B.3.6, B.6.6 | - | R | R | [illegible] | low, low, medium, high
"Worst-case" analysis, dynamic analysis and failure analysis | B.6.7, B.6.5, B.6.6 | - | - | R | R | low, low, medium, high
Static analysis and failure analysis (see note 4) | B.6.4, B.6.6 | R | R | NR | NR | low, low, -, -
Expanded functional testing | B.6.8 | - | HR | HR | HR | low, low, medium, high
Black-box testing | B.5.2 | R | R | R | [illegible] | low, low, medium, high
Fault insertion testing (when required diagnostic coverage < 90 %) | B.6.10 | R | R | R | R | low, low, medium, high
Statistical testing | B.5.3 | - | - | R | R | low, low, medium, high
"Worst-case" testing | B.6.9 | - | - | R | [illegible] | low, low, medium, high
Field experience | B.5.4 | R | R | R | NR | low, low, medium, -

This table is divided into three groups, as indicated by the sidebar shading. All techniques marked "R" in the grey and black shaded groups are replaceable by other techniques within that group, but at least one of the techniques of the grey shaded group (analytical techniques) and at least one of the techniques of the black shaded group (testing techniques) is required.

NOTE 1 For the meaning of the entries under each safety integrity level, see the text preceding table B.1

NOTE 2 Most of these measures in this table can be used to varying effectiveness according to table B.6, which gives examples for low and high effectiveness. The effort required for medium effectiveness lies somewhere between that specified for low and high effectiveness.

NOTE 3 The overview of techniques and measures associated with this table is in annex B of IEC 61508-7. Relevant sub clauses are referenced in the second column.

NOTE 4 Static analysis and failure analysis is not recommended for SIL3 and SIL4, because these techniques are not sufficient unless used in combination with dynamic analysis.
Table A.7 - Software aspects of system safety validation (see 7.7)

Technique/measure* | Ref | SIL1 | SIL2 | SIL3 | SIL4
1 (row not legible in the source)
2 Process simulation | C.5.18 | R | R | HR | HR
3 (row not legible in the source)
4 Functional and black-box testing | B.5.1, B.5.2, Table B.3 | HR | HR | HR | HR
5 Forward traceability between the software safety requirements specification and the software safety validation plan | (entries not legible in the source)
6 Backward traceability between the software safety requirements specification and the software safety validation plan | (entries not legible in the source)

NOTE 1 See Table C.7

NOTE 2 The references (which are informative, not normative) "B.x.x.x", "C.x.x.x" in column 3 (Ref) indicate detailed descriptions of techniques / measures given in Annexes B and C of IEC 61508-7

* Appropriate techniques/measures shall be selected according to the safety integrity level.
IEC 61511 Clause 15 - Validation activities must include:

1. SIS performs in all operating modes as identified in the SRS;
2. Adverse interaction of BPCS or other systems has no effect on SIS;
3. SIS properly communicates & computations are correct;
4. Sensors, logic solver, & final elements perform in accordance with SRS;
5. SIS documentation is consistent with the installed system;
6. Confirmation that SIF performs as specified on invalid PV values;
7. The proper SD sequences activate with correct annunciation / display;
8. SIS reset, bypass, start up overrides & manual SD functions perform as SRS;
9. The proof-test intervals are documented in the maintenance procedures;
10. Diagnostic alarm functions perform as required;
13. Confirmation that the SIS performs as required on loss of utilities & returns to the desired state on reset;
14. Confirmation that the EMC immunity has been achieved.




Functional Safety Assessment IEC 61511 Clause 5.2.6

- Investigation, based on evidence, to judge the functional safety achieved by one or more protection layers
- As a minimum 1 FSA must be carried out at Stage 3 prior to hazards being present
- To be compliant with the requirements of IEC 61511 FSA should be carried out at the following stages of a project:
  - Stage 1 - After HRA, protection layers identified and SRS complete
  - Stage 2 - After SIS design
  - Stage 3 - After installation, pre-commissioning, validation & operation and maintenance procedures have been developed.
  - Stage 4 - After gaining experience in operating and maintenance
  - Stage 5 - After modification and prior to decommissioning of a SIS
The Functional Safety Assessment must confirm

- The PHRA has been carried out (Clause 8);
- The PHRA recommendations have been implemented or resolved;
- MOC procedures are in place and have been implemented;
- The recommendations arising from previous FSA have been resolved;
- The SIS is designed, constructed and installed in accordance with the SRS, any differences having been identified and resolved;
- The SIS safety, operating, maintenance and emergency procedures are in place;
- The SIS validation planning is appropriate and the validation activities have been completed;
- Employee training has been completed and appropriate information about the SIS has been provided to the O&M personnel;
- Plans or strategies for implementing further FSAs are in place.
Typical Information required for FS Assessment

- Results for previous FS assessments & HRAs
- Risk targets and risk reduction measures implemented
- Allocated safety requirements for protection layers
- Safety requirements and Cause and Effects
- Identified SIFs and verification data
- Verification & validation reports (inspections, FAT, SAT, commissioning)
- Functional Safety Management Procedure
- SIS operation and maintenance reports & procedures
- Details of SIS modification and impact analysis
- Development & production tools used (S/W simulation, test equipment)
- Operating history including data to be used for prior use arguments
Functional Safety Audits

- Similar techniques required as for quality auditing
- Could be managed by the Quality Department if a checklist is developed
- Audits that Functional Safety Management procedures are being correctly implemented, not technical content
- Six monthly for new systems / annual for mature systems
- Auditor must be sufficiently independent from people doing the work
- Non-conformances need to be prioritised and actioned
- Recording and follow-up critical

Information required for FS Audit

- FSMP - responsible departments / persons
- FSM & competency management procedures
- Results from previous audits
Level of Independence Requirements
IEC 61508-1 Tables 4 & 5

Minimum level of independence | Consequences or Safety Integrity Level / Systematic capability: 1/A | 2/B | 3/C | 4/D
Independent person | X | X1 | Y | Y
Independent department | - | X2 | X1 | Y
Independent organization | - | - | X2 | X

X2 applies depending on previous experience, degree of complexity, novelty of design, technology
Management of Change (Clause 5.2.6.2.2 & 17)

- A modification procedure needs to be included in FSM
- Impact analysis needs to be carried out to assess impact on FS
- Review documentation - where in the lifecycle does the impact have an effect on safety, possibly even back to Phase 1 - PHRA
- We need to understand the impact of change, such as:
  - Replace a safety component with a different manufacturer (no assessment required for like for like replacement)
  - How much retesting is required (modular design reduces impact of retesting)
  - Need to consider verification and revalidation requirements
  - Update all impacted documentation with change
- Competent authority to sign off
Functional Safety Capability Gap Analysis

- Requirement to identify weaknesses / gaps in the FSM system
- Based on the concept of Targets Of Evaluation (TOEs) first introduced in the CASS guidelines (www.cass.uk.net)
- Adapted for IEC 61511 FSM requirements
- Assesses the current status of an organisation's plans, procedures and work instructions
- Maps FSM to IEC 61511 Part 1 requirements and relevant industry guidance as appropriate
- Provides recommendations for improvements
- Determines current Functional Safety Capability
Scope of FS Gap Analysis

- Functional Safety Policy
- Functional Safety Procedures
- Functional Safety Life Documentation
- Other company procedures where appropriate, e.g. training records, disaster recovery procedures
- Records of all activities concerned with Functional Safety
- Include IEC 61508-1/2/3 and 6 where appropriate
- Competency Management System must be included
FUNCTIONAL SAFETY MANAGEMENT SYSTEM - MAPPING TABLE TO STANDARDS

Columns: T.O.E. Number/Description | Procedures and Controls Required to Comply | IEC 61511 Refs. (Clause. Para) | Auditors Comments | Action

T.O.E.: General Requirements
Procedures and controls required: Functional Safety Management System
Auditor's comments: Company does not currently operate a formal FSM based on the 61511 standard.
Action:
  1. Develop a formal methodology document, based on the existing QMS procedures, to capture company functional safety processes
  2. Review the existing QMS procedure against the 61511 lifecycle requirements and develop or modify procedures to ensure all clauses are adequately addressed

T.O.E.: General Requirements
Procedures and controls required: Functional Safety Policy Statement
Auditor's comments: No formal statement and strategy document in place at the time of the audit
Action:
  3. Prepare statement to include top level strategy / approach to FS

Typical FS gap analysis record sheet
- The mapping leads to recommendations to either update, revise or introduce new procedures and work instructions and systems to improve compliance
- Changes to existing systems should be implemented through a:
  - Roll out exercise throughout the organisation
  - Series of workshops / toolbox talks to keep staff up to date
- Must include competency testing and assessment of staff that will be directly interfacing with the SIS, including operations, maintenance and engineering.
Example of the Planning Process

Hazard & risk assessment: Clause 8 (phase 1)
Allocation of safety functions to protection layers: Clause 9
Safety requirements spec. for the SIS: Clauses 10 and 12
Verification
Design and engineering of the SIS: Clauses 11 and 12
FSM & FSA
Modification: Clause 17
Decommissioning: Clause 18

IEC 61511 Safety Lifecycle Phases
EEMUA 222 Competency Assessment Form - Lifecycle Phases 1 to 3

Columns: Safety lifecycle phase | Competence requirements | Range statement (specifies the context) | Competence components (assessment is against these components) | Assessor comments and evidence | Gaps and closure actions | Gap management actions

Guidance printed in the last three columns: (Record verbal and written evidence of meeting competence component requirements) | (List identified gaps against competence requirements for the role and actions to close gaps, e.g. training, alternative work experience) | (State how each gap will be managed until the candidate is re-assessed as competent for the role, e.g. seek approval of AN Other, supervised by a competent person)

1. Hazard and Risk Analysis
  Competence requirements: Can fully participate in hazard identification, hazard analysis, hazard and operability (HAZOP) studies, and computer/control HAZOP (CHAZOP) studies.
  Range statement: For SIS equipment and hazards associated with plants X, Y and Z.
  Competence components:
    1.1 Understands principles of hazard identification, hazard analysis and HAZOP and CHAZOP studies.
    1.2 Understands where hazards may be introduced by the SIS.
    1.3 Has experience of participating in hazard identification, hazard analysis or HAZOP and CHAZOP studies.

2. Allocation of Safety Functions to Protection Layers
  Competence requirements: Can effectively allocate safety functions to SIS, other technology and procedural protection layers as carried out in LOPA studies.
  Range statement: For the technologies and operational processes on plants X, Y and Z.
  Competence components:
    2.1 Understands the effectiveness of different types of protection layers and appropriate credit that can be taken for each.
    2.2 Has experience of allocating safety functions to protection layers.
    2.3 Has experience of participating in or leading SIL determination using LOPA.
    2.4 Is familiar with use of SIL determination software, if appropriate.

3. Safety Requirements Specification for the SIS
  Competence requirements: Can develop safety requirements specification for the SIS.
  Range statement: For the technologies and hazards associated with plants X, Y and Z.
  Competence components:
    3.1 Knows and understands how to develop functional specifications.
    3.2 Knows and understands how to develop integrity specifications.
    3.3 Has experience of developing a Safety Requirements Specification including role statements and functional and integrity specifications for SIS in accordance with IEC 61511
Appendix 5 - Functional Safety Management Phase 4a - Design and Engineering of Safety Instrumented System

Project Title: Upgrade of Alvheim HP Knock Out Drum Level Instrumentation
Project Number: WO 222
Safety Lifecycle Phase: 4a
Project Plan Reference:
Objectives:
- To design one or more safety instrumented systems to provide the safety instrumented functions and meet the specified safety integrity levels.
Description: Design and Engineering of Safety Instrumented System
Scope:
- The E/E/PE safety instrumented systems design development.
Applicable BS EN 61511 References:
  BS EN 61511-1, Figure 8, Table 2
  Objectives: 11.1, 13.1
  Requirements: 11.2, 13.2
  Verification: 7

Safety Lifecycle Phase 4a - Supporting Information

Document Reference | Input Information | Output Information
3203-T-SOR-S-RA-43-0003-00 Revision 04 | WO 222 HP KO Flare Drum Overfill Protection System (OPS) Safety Requirements Specification - Data sheet | Kongsberg FDS - Upgrade of HP Knock Out Drum
Functional Safety Competency Assessment (FSCA)

- HSE Competency Management System Guidance
  - Compliance is mandatory
  - 4 phases: Plan, Design, Operate, Audit and Review
  - 15 principles to consider
- HSE/BCS/IET competencies guidelines
  - levels of competence
  - functions and 'jobs'
  - example requirements
  - assessment
  - Continuing Professional Development (CPD)
- Requirement for Professional Institutes
Competency Programs

- Institutes - objective to set (members) apart from others in the field
- Functional Safety Certified Engineer - TUV based schemes, with international membership based around examination and functional safety experience
- HSE Competency Management Scheme - based on Institute of Railway Signalling Engineers (IRSE) - well-established scheme, focused on industry requirement
- HSE/IET/BCS in the UK - general competencies for safety practitioners based on IEC 61508 - largely workplace/experience based, self assessed
- EEMUA 222 - based on process industry requirements
Guidelines published by IET from HSE/IET/BCS study
- focuses on electrical, electronic and programmable electronic systems

Competencies of four types
- technical skills
  - e.g. hazard analysis, report writing
- behavioural skills
  - e.g. personal integrity, interpersonal skills, problem solving, attention to detail
- underpinning knowledge
  - e.g. domain (application area) knowledge
- underpinning understanding
  - e.g. principles of safety and risk
Structure of the Guidelines

- The guidelines are organised around functions
  - these are 'job functions', not system functions
  - e.g. independent safety assessment (ISA)
- Competency levels
  - three levels are distinguished within each function
    - supervised practitioner
      - work always checked by a practitioner or expert
    - practitioner
      - capable of working alone or supervising others
    - expert
      - can take overall responsibility, and work in novel situations
- Guidance on operation of a competency scheme
  - mapping to organisation
  - assessing individuals
Functions in the Guidelines

- Initial set of 'job functions'
  - C1 - corporate functional safety management (CFM)
  - C2 - project safety assurance management (PSM)
  - C3 - safety-related system maintenance and modification (SRM)
  - C4 - safety-related system or services procurement (SRP)
  - C5 - independent safety assessment (ISA)
  - C6 - safety hazard and risk analysis (HRA)
  - C7 - safety requirements specification (SRS)
  - C8 - safety validation (SV)
  - C9 - safety-related system architectural design (SAD)
  - C10 - safety-related software realisation (SSR)
  - C11 - safety-related hardware realisation (SHR)
  - C12 - human factors engineering (HF)
Sets of Competencies

- For each function, competencies are divided into
  - function related
    - which apply to the function as a whole
    - e.g. ISA 14 Principles of functional safety assurance: Has a knowledge and understanding of the principles of functional safety assurance and can relate them to a typical safety lifecycle model
  - task related
    - which apply to individual tasks within the function
    - e.g. ISA 5 Reviewing safety documentation: Accurately and systematically review documents, supported by discussions to clarify ambiguities and understanding where necessary, to obtain evidence to support a judgement on whether a system has satisfied its functional safety requirements
- Criteria are then set out against these competencies
Sample Criteria

ISA 5 Reviewing safety documentation

Accurately and systematically reviews documents, supported by discussions to clarify ambiguities and
understanding where necessary, to obtain evidence to support a judgement on whether a system has
satisfied its functional safety requirements

Criteria at each competency level:

Supervised Practitioner:
  Has successfully performed review work requiring a high degree of accuracy.

Practitioner:
  Can illustrate, with e.g. review reports and witness testimonies, how inaccuracies,
  omissions and deficiencies have been identified in reviewing safety-related system
  documentation as part of independent safety assessments.

Expert:
  Can illustrate, through review procedures and review records, how actions have been
  taken to ensure the accuracy of design reviews carried out as part of independent
  safety assessments. Can illustrate how insufficient accuracy in reviewing
  documentation has led to uncertainty with regard to a safety assessment.

In this case there is a relatively clear progression of capability from one level to the next.
Assessment

- Guidelines identify six evidence types
  - assignment and/or project records (AP)
    - engineers' log books
  - workplace observation (WO)
    - usually evidence from supervisor/line manager
  - competence test (CT)
    - might be a test on the content of relevant standards
    - e.g. CASS assessment
  - witness testimony (WT)
    - more general ‘testimonial’ than workplace observation
  - oral (OR)
    - response to questions at the assessment meeting
  - documentary evidence (DC)
    - e.g. project reports or papers
Adapting for an Organisation

- The guidelines acknowledge that this needs to be done
  - suggested process
    - identify a responsible person (presumably at least expert CFM)
    - this person audits the organisation to identify
      - safety-related functions (in the safety process, not in products)
      - staff carrying out safety work
      - who else should be included
        (it is expected that some ‘jobs’ in a given organisation will mix
        functions in the guidelines)
    - the responsible person should modify the criteria to match the
      organisation and document the results
      - this may mean moving functions
        - e.g. moving (copying) testing from safety validation (SV) to
          human factors engineering (HF) if safety-related human
          interface tests are carried out
      - function related competencies may also need to be moved
Assessment

- Assessment process (scheduled) managed by the responsible person
  - assessors allocated for individuals
    - with support of ‘technical experts’ if necessary

- Assessments are done through meetings
  - 10-15 minutes per task or function related competency
  - expected outcomes
    - assessment
      - profile against competency statement for function
    - recommendations
      - e.g. training
    - information to help in team building

- Assessment scheme kept under review
  - to improve the scheme, as necessary
Competency Statement: ISA5 Reviewing safety documentation

Summary of evidence provided including context          Evidence Type: OR

  Gave presentation on recent project situation where it was found
  during review of the safety documentation that the treatment of
  software failures in system fault was consistently incorrect.

Level against this competency:   Expert / Practitioner / Supervised Practitioner

Assessor comment:

  Experienced analyst, but needs more training in planning and eliciting
  information

Overall level:   Expert / Practitioner / Supervised Practitioner

In order to obtain expert level the candidate requires:

  1. Training in preparation of safety assessment plans and maintaining plans
     through the lifetime of the project

  2. Experience in collecting information from all relevant stakeholders

Date for next assessment:   dd/mm/yyyy
Observations

- Individual skills and competencies are important
  - perhaps more so in safety than other areas, due to the
    difficulty of validating analyses
  - particularly crucial for ISA, due to the importance of the role

- HSE/IET/BCS guidelines are quite comprehensive
  - but need to be interpreted for specific ‘jobs’ in companies

- HSE guidelines now in place and are a mandatory requirement